Docker Containers' Network Access Configuration

Time:06-30

I'm struggling to configure my docker-compose file to achieve the structure below. The web container needs to be accessible from virtual PCs and physical devices (local and external), but the Keycloak container needs to be accessible only by the web container. How can I achieve this?

Desired Network Structure

The web container starts a Flask app exposed on port 5000.

My docker-compose file currently:

version: '2'
services:
  web:
    build: .
    ports:
      - '5000:5000'
    volumes:
      - .:/app
    depends_on:
      - keycloak
  keycloak:
    container_name: keycloak
    image: jboss/keycloak:13.0.1
    ports:
      - '8080:8080'
    environment:
      KEYCLOAK_USER: admin
      KEYCLOAK_PASSWORD: admin

CodePudding user response:

If a container doesn't have ports:, it (mostly*) isn't accessible from outside of Docker. If your goal is to have the container only be accessible from other containers, you can just delete ports:.

In comments you ask about the container being reachable from other containers. So long as both containers are on the same Docker network (or the same Compose-provided default network) they can communicate using the other container's Compose service name and the port the process inside the container is listening on. ports: aren't required, and they're ignored if they're present.

So in your setup, it should be enough to remove the ports: from the keycloak container.

version: '2.4'
services:
  web:
    build: .
    ports:
      - '5000:5000'
    depends_on:
      - keycloak
    # can call keycloak:8080
  keycloak:
    image: jboss/keycloak:13.0.1
    environment: { ... }
    # no ports:, container_name: is also unnecessary

(*) On a native-Linux host, the container's Docker-internal IP address will be reachable from the same host, but not other hosts, if you have some way of finding it (including port-scanning 172.16.0.0/20). If someone can run docker commands then they can also easily attach other containers to the same network and gain access to the container, but if they can run docker commands then they can also pretty straightforwardly root the entire host.
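The reachability rule the answer describes (a service is host-reachable only when it publishes ports:, and services reach each other by name only when they share a network) can be checked mechanically. This is an added example, not code from the answer or from Docker; it assumes the Compose file has already been loaded into a plain dict (for instance with PyYAML) and uses a constructed sample mirroring the corrected file above.

```python
"""Audit a Compose definition for network exposure (added example, stdlib only)."""
from typing import Dict, Set


def service_networks(svc: dict) -> Set[str]:
    """Networks a service joins; Compose attaches it to 'default' if none are listed."""
    nets = svc.get("networks") or ["default"]
    # networks: may be written as a list of names or a mapping of name -> options
    return set(nets if isinstance(nets, list) else nets.keys())


def publishes_ports(svc: dict) -> bool:
    """True when ports: maps a container port onto a host port (reachable from outside Docker)."""
    return bool(svc.get("ports"))


def audit(compose: dict) -> Dict[str, dict]:
    """For every service: is it host-exposed, and which other services can reach it by name."""
    services = compose.get("services", {})
    nets = {name: service_networks(svc) for name, svc in services.items()}
    report = {}
    for name, svc in services.items():
        # Two services can talk (service-name DNS, container port) only if they share a network.
        peers = {other for other in services if other != name and nets[other] & nets[name]}
        report[name] = {"host_exposed": publishes_ports(svc), "reachable_from": peers}
    return report


# Constructed sample: the corrected file from the answer, keycloak without ports:.
SAMPLE = {
    "services": {
        "web": {"build": ".", "ports": ["5000:5000"], "depends_on": ["keycloak"]},
        "keycloak": {
            "image": "jboss/keycloak:13.0.1",
            "environment": {"KEYCLOAK_USER": "admin", "KEYCLOAK_PASSWORD": "admin"},
        },
    }
}

if __name__ == "__main__":
    for svc, info in audit(SAMPLE).items():
        exposure = "host-exposed" if info["host_exposed"] else "internal only"
        print(f"{svc}: {exposure}; reachable from {sorted(info['reachable_from'])}")
```

The same function also handles explicit networks:, so a service placed only on a separate network is reported as unreachable from services that do not join it.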
